I was trying to explain software security to a friend the other day. The friend knew a bit about network security and figured firewalls were the beginning and end of computer security.

I ended up using a bank analogy. The bank's security division understands the bank's assets and has the expertise to lay out the bank--where to put exits and entrances, surveillance cameras and guards, tellers, bank managers, and bathrooms--to reduce the risk of theft. They also understand the security properties of safes, and they figure out what types of safes are needed and where they should go.

In contrast to the bank's security group, a software security team would be similar to a safe-security group at the safe manufacturer. They help with the design, construction, and testing of safes so that the bank's security group has some assurance that the safe they are installing has the security properties needed for the type of asset the safe will hold and its location in the bank. Both of these capabilities are necessary to produce an appropriately secure bank.

Unfortunately, most of the software we use wasn't constructed with the attention to security that goes into building a safe. I think that needs to change. We need to get to the point where we think of software, especially software that handles and stores sensitive information like passwords, credit card numbers, and health records, as a vault. To get there, we need software security people helping out with the design, construction, and testing of software.

Dedication

My grandfather had a wonderful shop in his basement. To me, it was a place of mystery and fascination, and I would spend hours wandering through it, looking at all the tools and projects in various states of completion. Not being much of a woodworker, I've never had the need for such a shop (not to mention that I lack a basement), but recently it has occurred to me that my gear, computers, and software are my shop. This site is for my late grandfather and everyone else who takes personal pride in carefully executed work.